© Provided by The Washington Post

On March 23, lawmakers crowded into a packed Capitol hearing room to harangue the CEO of the social app TikTok about the company’s Chinese ownership and the risks it posed to U.S. national security. Months earlier, President Biden had signed a bill banning TikTok from federal employees’ devices, to prevent sensitive information from falling into the wrong hands.

What the members of Congress didn’t know was that state secrets had been trickling out for months on social media and were beginning to circulate in ever-wider online forums — not on TikTok, but on U.S.-owned Discord. In the two weeks after the TikTok hearing, those classified documents would make their way into public view on U.S.-owned Twitter — and remain there for days, as owner Elon Musk mocked the idea that he ought to remove them.

The leaks, which included assessments of the Ukraine war and revelations of U.S. spying, didn’t stem from any foreign adversary’s sinister plot. Rather, they appear to have stemmed from a 21-year-old U.S. National Guard member’s desire to impress his online pals.

The Discord document dump is the latest in a colorful 21st-century tradition of secrets spilled online, from WikiLeaks’ earliest uploads to Russian operatives’ hack of the Democratic National Committee. At a time when swaths of the U.S. government are fixated on Chinese spycraft, it serves as a reminder that information leaks in the internet age can come from just about anywhere — a risk the U.S. government has generally accepted as a price of free speech, said Anupam Chander, a law professor at Georgetown University and an expert on technology regulations.

“The internet was never designed with national security at its heart,” Chander said. “It’s inherently vulnerable.”

The hypothetical threats posed by TikTok’s Chinese ownership aren’t about leaked classified documents. They include fears that China’s government might demand or covertly gain access to data on the app’s American users, or persuade the company to secretly manipulate its algorithms in ways that promote or suppress certain ideas. In particular, the ban of TikTok from government devices is meant to guard against the possibility that Chinese Communist Party members or officials could gain access to the personal data of U.S. officials.

There’s no hard evidence that any of those things have happened. Both the Chinese government and TikTok insist they never will, and TikTok has taken unusual steps to limit the exposure of Americans’ data, such as not tracking their precise location using GPS, as countless other mobile apps routinely do. And the Pentagon has official guidance for troops on how to use TikTok safely.

Still, the theoretical possibility has sparked bipartisan furor in Washington. Not content with the government devices ban, some congressional Republicans and Democrats, and the Biden administration, are scrambling for a legal basis on which to ban the app altogether. One approach would give the secretary of commerce special powers to crack down not just on TikTok, but also on whole categories of apps whose parent companies are based in countries designated as “foreign adversaries.”

The fears are understandable. China is known to spy. Barriers between Chinese companies and the Chinese government are flimsy. And President Xi Jinping has put the screws to tech firms in the past.

Yet if the goal is to plug the holes in the U.S. information sphere, banning TikTok and other foreign apps might be like a Band-Aid on a colander.

Some 3 million Americans hold government security clearances, and thanks to the internet, any one of them can connect with, send information to, or get hacked by pretty much anyone else, anywhere in the world, at any time. Edward Snowden, who revealed National Security Agency surveillance programs, and Reality Winner, who leaked an intelligence report about Russian election interference, intentionally publicized classified information for political and moral reasons. A staffer for Hillary Clinton’s 2016 presidential campaign clicked a link in a phishing email that gave Russian hackers access to campaign chairman John Podesta’s login credentials. U.S. forces abroad have inadvertently exposed the location of secret facilities through their use of fitness apps.

Now Jack Teixeira, a 21-year-old member of the Massachusetts Air National Guard, is accused of uploading tranches of classified documents to a private chat group on the social app Discord, mostly just because he could. Reporting indicates that one member of his private chat then uploaded some of the documents to a much larger Discord group, and they gradually spread from there — ultimately making their way onto Twitter and into public view.

Over the years, the largest social networks have attempted, with mixed results, to constrain the spread of certain types of information deemed harmful, from covid-19 conspiracy theories to deepfake videos to hacked private information, especially in public-facing feeds. But keeping a given class of material off the internet entirely has proved nearly impossible; if Facebook and Twitter won’t host Alex Jones or a mass shooting video, some other site surely will. Even child pornography flourishes in the internet’s darker alleys, despite being illegal and aggressively policed.

Chander acknowledges it’s possible that China could obtain compromising information on U.S. officials via secret back doors in an app like TikTok. It’s just that there are so many other ways to obtain compromising information on the internet that the focus on TikTok can feel like a distraction — especially given that the type of information TikTok gathers is “not your typical blackmail material, or your typical espionage material,” Chander said.

“The general tenor of the conversation at the national level has focused our attention on TikTok as if the American people are supposed to galvanize to protect ourselves” by deleting a Chinese-owned short-video app, he said. “Why aren’t we being taught how to protect ourselves from ransomware? Why isn’t there a national campaign to prevent phishing efforts? The Russian [Internet Research Agency] showed they did not have to own Facebook to own Facebook.” Such initiatives, Chander believes, would do far more to secure Americans’ information than a TikTok ban.

The Washington Post reached out to more than a dozen lawmakers active in discussions about national security and technology for comment. Several expressed concerns about the leak, but most did not respond to requests for comment, and none addressed what, if anything, should be done about the role of platforms used to disclose sensitive materials.

Meanwhile, Montana on Friday became the first state to pass a law banning TikTok.

Cristiano Lima contributed to this report.